fix(core): restore strict sanitization config and allow list precedence

Christian Gunderman
2026-05-15 13:12:23 -07:00
parent 1ff17334a9
commit 998e94a32f
2 changed files with 8 additions and 2 deletions
@@ -370,7 +370,7 @@ describe('getSecureSanitizationConfig', () => {
);
});
it('should not filter out variables from allowed list that match NEVER_ALLOWED_NAME_PATTERNS', () => {
it('should filter out variables from allowed list that match NEVER_ALLOWED_NAME_PATTERNS', () => {
const requestedConfig = {
allowedEnvironmentVariables: ['SAFE_VAR', 'MY_SECRET_TOKEN'],
};
@@ -378,7 +378,7 @@ describe('getSecureSanitizationConfig', () => {
const config = getSecureSanitizationConfig(requestedConfig);
expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR');
expect(config.allowedEnvironmentVariables).toContain('MY_SECRET_TOKEN');
expect(config.allowedEnvironmentVariables).not.toContain('MY_SECRET_TOKEN');
});
it('should deduplicate variables in allowed and blocked lists', () => {
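Review bot: The updated test only uses a name that is already upper-case, while the filter in getSecureSanitizationConfig matches the deny patterns against `upperKey`, so the case-normalisation path is not pinned by any assertion here. Consider adding a mixed-case entry such as `'my_secret_token'` to `allowedEnvironmentVariables` and asserting that it is absent from `config.allowedEnvironmentVariables` as well. How the result stores the key (original or upper-cased form) is not visible in these hunks, so the assertion should be written against whichever form the function returns.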
@@ -213,6 +213,12 @@ export function getSecureSanitizationConfig(
if (NEVER_ALLOWED_ENVIRONMENT_VARIABLES.has(upperKey)) {
return false;
}
// Never allow variables that match sensitive name patterns
for (const pattern of NEVER_ALLOWED_NAME_PATTERNS) {
if (pattern.test(upperKey)) {
return false;
}
}
return true;
});
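Review bot: `pattern.test(upperKey)` in the new loop becomes stateful if any entry of NEVER_ALLOWED_NAME_PATTERNS is declared with the `g` or `y` flag, because `lastIndex` carries over between keys and a name that should be denied can then pass the filter on an alternate call. The pattern definitions are outside this hunk, so confirm that none of them uses those flags, or add `pattern.lastIndex = 0;` before the test. The comment would also help the next maintainer more if it stated the precedence, for example `// Deny patterns override an explicit allow-list entry: a requested name that looks like a secret is dropped.` The enclosing filter callback starts above the hunk.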